Purple Teaming: How to Get Red and Blue Working Together

For years, red teams and blue teams operated in silos. The red team runs an engagement, writes a report, throws it over the wall. The blue team reads the report, feels bad about what they missed, and maybe fixes a few things. Three months later, neither side remembers the details. This adversarial dynamic wastes enormous amounts of time and talent.

Purple teaming is not a separate team. It is a methodology where red and blue work together in real time, executing attack techniques and validating detections collaboratively. The red team executes a technique — say, credential dumping from LSASS memory. The blue team watches their SIEM and EDR dashboards in real time. Did the alert fire? Was the alert actionable? If not, they tune the detection together, then rerun the technique to validate the fix.

This feedback loop compresses what used to take months into hours. Instead of discovering detection gaps in a report and fixing them over the next quarter, you discover and fix them in the same session.

Use the MITRE ATT&CK framework as your playbook. Select 10-15 techniques relevant to your threat profile. For each technique, document the expected data sources, the current detection rules, and the expected alert behavior. Then execute.

A typical session looks like this: red team announces "we are going to execute T1059.001 — PowerShell execution with encoded command" and runs the technique. Blue team confirms or denies detection. If detected, record the detection rule ID, time to detect, and fidelity. If not detected, work together to build the detection, deploy it, and retest. Document everything in a shared matrix.

Track detection coverage over time as a percentage of tested ATT&CK techniques. In my experience, organizations typically start at 20-30% coverage and reach 60-70% after four quarterly purple team exercises. The remaining 30-40% usually requires new data sources or architectural changes that take longer to implement.

Also track mean time to detect (MTTD) for techniques you can detect. Getting an alert is not enough — if it takes six hours for the alert to fire and another two hours for an analyst to triage it, an attacker has eight hours of undetected activity. Purple teaming helps you optimize both the detection rule and the triage process.

The adversaries are not playing red team vs blue team. They are playing against your entire security organization. Your teams should be doing the same.